Fix OS-specific path separator

anhnmt · anhnmt · commit d76e9dc2c170 · 2024-08-18T09:40:30.000+07:00
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
 *~
+.idea
 *.DS*
 *.zip
 *.rar
diff --git a/7z.go b/7z.go
@@ -68,10 +68,10 @@ func extract7z(xFile *XFile) (int64, []string, []string, error) {
 		if err != nil {
 			lastFile := xFile.FilePath
 			/* // https://github.com/bodgit/sevenzip/issues/54
-			// We can probably never get the file with the error.
-			if volumes := sevenZip.Volumes(); len(volumes) > 0 {
-				lastFile = volumes[len(volumes)-1]
-			} */
+			   // We can probably never get the file with the error.
+			   if volumes := sevenZip.Volumes(); len(volumes) > 0 {
+			   	lastFile = volumes[len(volumes)-1]
+			   } */
 			return size, files, sevenZip.Volumes(), fmt.Errorf("%s: %w", lastFile, err)
 		}
 
@@ -84,7 +84,8 @@ func extract7z(xFile *XFile) (int64, []string, []string, error) {
 
 func (x *XFile) un7zip(zipFile *sevenzip.File) (int64, error) { //nolint:dupl
 	wfile := x.clean(zipFile.Name)
-	if !strings.HasPrefix(wfile, x.OutputDir) {
+	outputDir := filepath.Clean(x.OutputDir)
+	if !strings.HasPrefix(wfile, outputDir) {
 		// The file being written is trying to write outside of our base path. Malicious archive?
 		return 0, fmt.Errorf("%s: %w: %s (from: %s)", zipFile.FileInfo().Name(), ErrInvalidPath, wfile, zipFile.Name)
 	}
diff --git a/iso.go b/iso.go
@@ -69,8 +69,9 @@ func (x *XFile) uniso(isoFile *iso9660.File, parent string) (int64, []string, er
 
 func (x *XFile) unisofile(isoFile *iso9660.File, fileName string) (int64, []string, error) {
 	destFile := x.clean(fileName)
-	//nolint:gocritic // this 1-argument filepath.Join removes a ./ prefix should there be one.
-	if !strings.HasPrefix(destFile, filepath.Join(x.OutputDir)) {
+	outputDir := filepath.Clean(x.OutputDir)
+	//nolint:gocritic // this 1-argument filepath.Clean removes a ./ prefix should there be one.
+	if !strings.HasPrefix(destFile, outputDir) {
 		// The file being written is trying to write outside of our base path. Malicious ISO?
 		return 0, nil, fmt.Errorf("%s: %w: %s != %s (from: %s)",
 			x.FilePath, ErrInvalidPath, destFile, x.OutputDir, isoFile.Name())
diff --git a/rar.go b/rar.go
@@ -92,8 +92,9 @@ func (x *XFile) unrar(rarReader *rardecode.ReadCloser) (int64, []string, error)
 		}
 
 		wfile := x.clean(header.Name)
-		//nolint:gocritic // this 1-argument filepath.Join removes a ./ prefix should there be one.
-		if !strings.HasPrefix(wfile, filepath.Join(x.OutputDir)) {
+		outputDir := filepath.Clean(x.OutputDir)
+		//nolint:gocritic // this 1-argument filepath.Clean removes a ./ prefix should there be one.
+		if !strings.HasPrefix(wfile, outputDir) {
 			// The file being written is trying to write outside of our base path. Malicious archive?
 			return size, files, fmt.Errorf("%s: %w: %s != %s (from: %s)",
 				x.FilePath, ErrInvalidPath, wfile, x.OutputDir, header.Name)
diff --git a/tar.go b/tar.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 	"strings"
 
 	lzw "github.com/sshaman1101/dcompress"
@@ -102,7 +103,8 @@ func (x *XFile) untar(tarReader *tar.Reader) (int64, []string, error) {
 		}
 
 		wfile := x.clean(header.Name)
-		if !strings.HasPrefix(wfile, x.OutputDir) {
+		outputDir := filepath.Clean(x.OutputDir)
+		if !strings.HasPrefix(wfile, outputDir) {
 			// The file being written is trying to write outside of our base path. Malicious archive?
 			return size, files, fmt.Errorf("%s: %w: %s (from: %s)", x.FilePath, ErrInvalidPath, wfile, header.Name)
 		}
diff --git a/zip.go b/zip.go
@@ -27,7 +27,7 @@ func ExtractZIP(xFile *XFile) (int64, []string, error) {
 			return size, files, fmt.Errorf("%s: %w", xFile.FilePath, err)
 		}
 
-		files = append(files, filepath.Join(xFile.OutputDir, zipFile.Name)) //nolint: gosec
+		files = append(files, filepath.Join(xFile.OutputDir, zipFile.Name)) // nolint: gosec
 		size += fSize
 	}
 
@@ -36,7 +36,8 @@ func ExtractZIP(xFile *XFile) (int64, []string, error) {
 
 func (x *XFile) unzip(zipFile *zip.File) (int64, error) { //nolint:dupl
 	wfile := x.clean(zipFile.Name)
-	if !strings.HasPrefix(wfile, x.OutputDir) {
+	outputDir := filepath.Clean(x.OutputDir)
+	if !strings.HasPrefix(wfile, outputDir) {
 		// The file being written is trying to write outside of our base path. Malicious archive?
 		return 0, fmt.Errorf("%s: %w: %s (from: %s)", zipFile.FileInfo().Name(), ErrInvalidPath, wfile, zipFile.Name)
 	}

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`*~`
	`2`	`+.idea`
`2`	`3`	`.DS`
`3`	`4`	`*.zip`
`4`	`5`	`*.rar`
Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ func ExtractZIP(xFile *XFile) (int64, []string, error) {`
`27`	`27`	`return size, files, fmt.Errorf("%s: %w", xFile.FilePath, err)`
`28`	`28`	`}`
`29`	`29`
`30`		`- files = append(files, filepath.Join(xFile.OutputDir, zipFile.Name)) //nolint: gosec`
	`30`	`+ files = append(files, filepath.Join(xFile.OutputDir, zipFile.Name)) // nolint: gosec`
`31`	`31`	`size += fSize`
`32`	`32`	`}`
`33`	`33`
`@@ -36,7 +36,8 @@ func ExtractZIP(xFile *XFile) (int64, []string, error) {`
`36`	`36`
`37`	`37`	`func (x XFile) unzip(zipFile zip.File) (int64, error) { //nolint:dupl`
`38`	`38`	`wfile := x.clean(zipFile.Name)`
`39`		`- if !strings.HasPrefix(wfile, x.OutputDir) {`
	`39`	`+ outputDir := filepath.Clean(x.OutputDir)`
	`40`	`+ if !strings.HasPrefix(wfile, outputDir) {`
`40`	`41`	`// The file being written is trying to write outside of our base path. Malicious archive?`
`41`	`42`	`return 0, fmt.Errorf("%s: %w: %s (from: %s)", zipFile.FileInfo().Name(), ErrInvalidPath, wfile, zipFile.Name)`
`42`	`43`	`}`